Tags: authentication, jwt, .net-6.0, adfs

Use different Jwt authentication configuration based on the request Url


I am using a .NET 6 application with JwtBearer authentication. I bound the default configurations to '.AddJwtBearer' and everything works fine so far.

However, the customer has a new challenge: the application should be reachable from two different URLs. One is Internet and one is VPN.

Each of them has its own ADFS, which means different configurations. So what I need is to decide, for each request, which JWT configuration should be used to authenticate against.

I have looked up some solutions on the internet, like using IConfigurationOptions and JwtBearerEvents, but I am not sure if I am on the right track.

My idea is something like:

public class JwtSettingsConfiguration : IConfigureOptions<JwtBearerOptions>
{
    private readonly IConfiguration _configuration;

    public JwtSettingsConfiguration(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    public void Configure(JwtBearerOptions options)
    {
        _configuration.Bind("JwtSettings", options);
        options.EventsType = typeof(AuthEventsHandler);
        // Set multiple settings
        options.RequireHttpsMetadata = false;
        options.SaveToken = true;
    }
}

public class JwtSettingsVPNConfiguration : IConfigureOptions<JwtBearerOptions>
{
    private readonly IConfiguration _configuration;

    // Constructor must carry the class name (the original had JwtSettingsConfiguration here)
    public JwtSettingsVPNConfiguration(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    public void Configure(JwtBearerOptions options)
    {
        _configuration.Bind("JwtSettingsVPN", options);
        options.EventsType = typeof(AuthEventsHandler);
        // Set multiple settings
        options.RequireHttpsMetadata = false;
        options.SaveToken = true;
    }
}

And the registration would be:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
    // Set multiple settings
    services.AddSingleton<IConfigureOptions<JwtBearerOptions>, JwtSettingsConfiguration>();
    services.AddSingleton<IConfigureOptions<JwtBearerOptions>, JwtSettingsVPNConfiguration>();
});

Am I getting things correctly? Is it the way to achieve it? Besides, how do I decide which ADFS the code should check the token against?

Thanks for your help


Solution

  • My approach mentioned in the question was unfortunately incorrect. The best solution was to register multiple configurations for the JWT and to update the default authentication scheme to accept both configurations. It worked fine and the order of the configuration was irrelevant.

    https://learn.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-7.0

    Here is the code snippet I used from the website:

    builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Audience = "https://localhost:5000/";
                options.Authority = "https://localhost:5000/identity/";
            })
            .AddJwtBearer("AzureAD", options =>
            {
                options.Audience = "https://localhost:5000/";
                options.Authority = "https://login.microsoftonline.com/eb971100-7f436/";
            });
    

    And to update the default policy:

    builder.Services.AddAuthorization(options =>
    {
        var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
            JwtBearerDefaults.AuthenticationScheme,
            "AzureAD");
        defaultAuthorizationPolicyBuilder =
            defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
        options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
    });
    

    The AuthorizeAttribute then worked without the need to specify the scheme explicitly.

    I hope this could help someone who is facing a similar problem.
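    A complete Program.cs that applies this answer to the question's two ADFS instances, as an added example (not the poster's code and not the Microsoft sample): the section names JwtSettings and JwtSettingsVPN come from the question, while the scheme name VpnAdfs and the keys Authority, Audience and Issuer inside each section are assumed.

```csharp
// Added example, not the original poster's code: one JwtBearer scheme per ADFS, each bound
// from its own section ("JwtSettings", "JwtSettingsVPN"); keys Authority/Audience/Issuer are assumed.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

const string InternetScheme = JwtBearerDefaults.AuthenticationScheme; // "Bearer"
const string VpnScheme = "VpnAdfs";                                    // assumed name
builder.Services
    .AddAuthentication(InternetScheme)
    .AddJwtBearer(InternetScheme, options =>
        ConfigureAdfs(options, builder.Configuration.GetSection("JwtSettings")))
    .AddJwtBearer(VpnScheme, options =>
        ConfigureAdfs(options, builder.Configuration.GetSection("JwtSettingsVPN")));

// Listing both schemes in the default policy makes [Authorize] call AuthenticateAsync
// for each; the request succeeds if either ADFS issued a valid token, so the app
// never has to pick a scheme per request URL.
builder.Services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder(InternetScheme, VpnScheme)
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/whoami", (System.Security.Claims.ClaimsPrincipal user) =>
    user.FindFirst("iss")?.Value ?? "no issuer claim").RequireAuthorization();
app.Run();

// Each scheme pins the issuer and audience of its own ADFS, so a token minted by one
// federation service cannot be accepted under the other scheme's configuration.
static void ConfigureAdfs(JwtBearerOptions options, IConfigurationSection section)
{
    options.Authority = section["Authority"];
    options.Audience = section["Audience"];
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = section["Issuer"] ?? section["Authority"],
        ValidateAudience = true,
        ValidAudience = section["Audience"],
        ValidateLifetime = true,
    };
}
```

    RequireHttpsMetadata is deliberately left at its default of true (the question's draft set it to false), so both schemes only fetch ADFS metadata over HTTPS. Both configuration sections must be present in appsettings.json with the assumed keys for the app to start.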